Mutillidae is a free and open source web application for website penetration testing and hacking which was developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is designed to be exploitable and vulnerable, and is ideal for practicing your Web Fu skills like SQL injection, cross site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more, based on the OWASP (Open Web Application Security Project) Top 10 Web Vulnerabilities:

A1-Injection

A2-Cross Site Scripting (XSS)

A3-Broken Authentication and Session Management

A4-Insecure Direct Object References

A5-Cross Site Request Forgery (CSRF)

A6-Security Misconfiguration

A7-Insecure Cryptographic Storage

A8-Failure to Restrict URL Access

A9-Insufficient Transport Layer Protection

A10-Unvalidated Redirects and Forwards


Before we can install Mutillidae, we need to set up our LAMP (Linux, Apache, MySQL, PHP/Python/Perl) server. First install Apache by typing this in your terminal:

sudo apt-get install apache2

Then install PHP:

sudo apt-get install php5 libapache2-mod-php5

Install the MYSQL server:

sudo apt-get install mysql-server

After that it should prompt you to set up the password for your MySQL server. In my case, I put ‘mysqlroot’ as my password just for demo purposes, although it’s not advisable to use a weak password on a live server.

Now set up phpMyAdmin (optional):

sudo apt-get install libapache2-mod-auth-mysql php5-mysql phpmyadmin

Change the permissions of your /var/www folder so that you have read, write and execute rights on its files by typing this command in your terminal:

sudo chmod -R 0777 /var/www

To check that the installation succeeded, navigate to http://localhost/ or http://127.0.0.1/ in your browser.

If you see a page that says ‘It Works!’ then your LAMP server is set up. Now it’s time to install Mutillidae! Download and extract Mutillidae into the /var/www directory:

sudo -s

cd /var/www

wget http://www.irongeek.com/mutillidae/mutillidae1.5.zip

unzip mutillidae1.5.zip

Next we need to edit config.inc, which holds the dbhost, dbuser, dbpass and dbname settings:

cd mutillidae

gedit config.inc

By default $dbpass is left blank, so put in the MySQL root password you entered during the installation of mysql-server. In my case I put mysqlroot.

Make sure the MySQL and Apache services are already running; if not, start them with these commands in the terminal:

service mysql start

service apache2 start

Then open your web browser again and point it to 127.0.0.1/mutillidae/ or localhost/mutillidae/. Next, let the web application set up the database automatically by clicking Core Controls > Setup/Reset the DB on the left side, or Setup/Reset the DB in the upper right corner.

The link should take you to 127.0.0.1/mutillidae/set-up-database.php.

If you see no errors then you are ready to play with Mutillidae. =)

Manual SQL Injection

Now time for some action! \m/

For me, the best way to understand and learn SQL (Structured Query Language) injection, if you are into web application penetration testing, is to learn it manually rather than with automated tools, and to set up an open source web application that is vulnerable to practice on. I don’t discourage using tools for automation, since tools can be of great help. My only point is that we should at least get familiar with the SQL statements used to attack a web application.

To tell you honestly, I learned manual SQL injection with the help of a mentor without any knowledge of SQL and PHP; when I later had a formal class at college about SQL, database management and PHP, I was able to apply it and enjoyed it. So thank you, mentor (you know who you are).

Simple Bypass Authentication

This is one of the pages where you can practice SQL injection. Yeah, a login form:

Let’s try inserting ' (a single quote) to see whether we can cause an error and how the web application reacts.

As we can see from the image above, the actual SQL query is SELECT * FROM accounts WHERE username='' AND password=''. If that is the case, then we can attack this application with a simple authentication bypass: inserting ' or '1'='1 into the password field turns the query into SELECT * FROM accounts WHERE username='' AND password='' or '1'='1', and because '1'='1' always evaluates to true, the WHERE clause matches every row and the login form accepts it as a valid password. The query pulls out all the columns of the accounts table because it says SELECT * FROM accounts.
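
As an added example (not from the original post or from Mutillidae's own code), here is the concatenated query from the page beside a parameterized version, run against a constructed SQLite table standing in for the accounts table; the column names, rows and the use of SQLite instead of MySQL are assumptions.

```python
import sqlite3

# Constructed stand-in for Mutillidae's accounts table (assumption: these column
# names and rows are illustrative; SQLite replaces MySQL so the example runs offline).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (cid INTEGER, username TEXT, "
               "password TEXT, signature TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                   [(1, "admin", "adminpass", "Monkey!"),
                    (2, "adrian", "somepassword", "Zombie Films Rock!")])
    return db

def login_vulnerable(db, username, password):
    """Build the query by string concatenation, exactly the shape the page shows:
    SELECT * FROM accounts WHERE username='' AND password=''"""
    sql = ("SELECT * FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    # Returns the usernames of every row the query matched.
    return [row[1] for row in db.execute(sql).fetchall()]

def login_safe(db, username, password):
    """Same query with bound parameters: the input is treated as data, never as SQL."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return [row[1] for row in db.execute(sql, (username, password)).fetchall()]

if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the bypass value from the page, typed in the password field
    print("vulnerable:", login_vulnerable(db, "", payload))  # matches every account
    print("safe:      ", login_safe(db, "", payload))        # matches nothing
```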

Finding the number of columns

To find the number of columns we use the ORDER BY clause and increment the number by 1 until the site returns an error. We end the injection with a comment character, # here, or you may use the comment sequence -- followed by a space. We insert this on the login form (you can choose either the username or the password field):

' order by 1 #

' order by 2 #

' order by 3 #

' order by 4 #

Because the query ' order by 5 # returns an error, there are four columns in the table: the 5th column does not exist, so ordering by it fails.

Union Select 101

And now, we can use the UNION Select Statement for information gathering and recon attacks.

' union select 1,2,3,4 #

From the image above, you can tell that the page looks a bit messed up and that three numbers appeared on the page. These are the columns whose contents are rendered on the page, so they are the ones we can pull information out of; we will replace them with statements later on. In fact you can just replace any of the three numbers that appeared with the same numbers you typed into the union select. Take for example this:

' union select 1,2,'shipcode was here',4 #

Finding the MySQL version

To determine the MySQL version, use @@version or version() in the column number where you can read information. For example I choose three, so the statement should be:

This allows the attacker to gather some info about the directories, and if he/she gets to see the /etc/shadow file then it’s possible for the attacker to crack the encrypted passwords.

Finding the table_names

Usually if the MySQL version is < 5 (4.x.x, 3.x.x, etc.), column and table names have to be guessed, and the most common table names include user/s, admin/s and member/s. But if you really want to find the table names, you need to inject the website to retrieve them. You can insert this syntax:

The query above shows only the tables of this web application’s database, owasp10, because of the WHERE clause where table_schema=database(). If you leave out the WHERE clause, it will also show the tables of the other databases on the system.

Finding the columns

So it’s obvious that we need to get the information from the accounts table. What’s next is to find all the columns of that table. It’s just like getting the table names: you just change table_name to column_name and information_schema.tables to information_schema.columns, so the statement should be:

Pawning the username and passwords in the database of the web application

Now that we have the table names and column names, we can put them together and get some information from them. We use the union method to select the username and password columns from the accounts table. Thus, the statement below allows an attacker to dump the username and password of admin:
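
An added example, not from the original post, that turns the column-counting (ORDER BY) and UNION SELECT / information_schema sequence of the sections above into detection logic run over constructed access-log lines; the URL layout of the login page, the use of GET (so the injected values appear in the log) and the log lines themselves are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not real traffic): one client sends the
# page's ORDER BY probes and a UNION SELECT, a second client logs in normally.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0000] "GET /mutillidae/index.php?page=login.php&username=%27+order+by+1+%23&password=x HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2012:10:00:02 +0000] "GET /mutillidae/index.php?page=login.php&username=%27+order+by+2+%23&password=x HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2012:10:00:03 +0000] "GET /mutillidae/index.php?page=login.php&username=%27+order+by+5+%23&password=x HTTP/1.1" 200 1610
10.0.0.5 - - [01/Jan/2012:10:00:04 +0000] "GET /mutillidae/index.php?page=login.php&username=%27+union+select+1%2C2%2C3%2C4+%23&password=x HTTP/1.1" 200 1700
10.0.0.9 - - [01/Jan/2012:10:00:05 +0000] "GET /mutillidae/index.php?page=login.php&username=adrian&password=somepassword HTTP/1.1" 200 1400
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Each signature corresponds to one step shown on the page.
SIGNATURES = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "union_select": re.compile(r"union\s+select", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
}

def scan_log(text):
    """Return {ip: [(timestamp, signature_name), ...]} for requests whose
    URL-decoded query string matches one of the signatures."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("url"))  # %27 -> ', + -> space, %23 -> #
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits[m.group("ip")].append((m.group("ts"), name))
    return dict(hits)

def column_enum_suspects(hits, min_probes=2):
    """IPs that sent at least min_probes ORDER BY probes: a single probe may be a
    false positive, a run of them is the page's column-counting pattern."""
    return sorted(ip for ip, events in hits.items()
                  if sum(1 for _, name in events if name == "order_by_probe") >= min_probes)
```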

Jay Turla

Jay Turla is a Filipino security researcher, programming student, infosec enthusiast, open source advocate, and the blog manager of PenTest Laboratory. He is interested in Linux, OpenVMS, penetration testing and vulnerability assessment. He is one of the core team members of The ProjectX Blog and one of the bloggers and goons of ROOTCON (Philippine Hackers Conference).You can follow his tweets @shipcod3.
